Why is it important to have a Cyber Security Policy?
If you own a business, it is important to have a cyber security policy. It serves as a guide and reference for use internally with your employees, and as a reference point for how you handle any external data from customers.
Your Cyber Security policy should be thought of as a living document that will need to be updated regularly to keep up with technological advancements and any changes within your business.
What does your Cyber Security policy need to cover?
Firstly, no two cyber security policies will be the same. Your Cyber Security policy will be unique to your business, depending on your particular type of business and what kind of data you deal with.
The first thing you need to do is to identify the particular risks for your business. If you are an accountant, for example, your focus is on how you deal with customers’ personal information, bank details, IRD numbers, etc.
Once you have worked to clarify your specific risks, you can then prepare for what to do if something goes wrong.
Having a clear plan in place means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.
You will also need to create two cyber security policies: an internal one for employees, and a public one for customers.
What needs to be included in the Policy?
The below information has been taken from the CERT NZ website.
CERT NZ suggests that you break your internal policy down into different areas.
Data
This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:
how much to collect
where you’ll store it (locally or in the cloud)
how to protect it, for example keeping data-at-rest (when stored) and in transit (when communicating) encrypted
how often you’ll back it up, and who’s responsible for doing backups.
Systems
It’s important to identify what systems you have, and which ones are critical to your work. Consider:
setting some rules around updating, or patching, your systems — how to make sure they’re done regularly and who’s responsible for making sure it happens
what systems your staff can use, including any cloud applications or software running inside your business’s network
how much access your staff need to your systems. You should ensure your staff only have the minimum level of access in each system that they need to do their job. This is what’s called the ‘principle of least privilege’.
Security and protection
Security and protection covers how your staff and customers access your systems and data. It means thinking about:
how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like a VPN with 2FA.
how they authenticate themselves on your system. This includes your password policy and use of two-factor authentication
what devices your staff can use at work. This covers whether staff can use personal devices for work, or if you’ll provide devices to them.
People and users
You need to think about what you consider to be an acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations, so they know:
what their responsibilities are
what kind of things they should report to you
how you expect them to take ownership of their accounts and their devices.
Physical devices and systems
When you think about protecting your business’s devices and systems, make sure you cover both:
protection against loss — if something is stolen, and
protection against the environment — for example, if your business is flooded during a storm and your devices are water damaged.
You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:
having strong passwords on them
using device encryption
setting rules for them about use outside the office.
Problems and incidents
You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.
The GTB team can help you create a Cyber Security policy for your business and put the IT aspects of it into effect. We also work with independent cybersecurity experts and can introduce you to them if you are looking for something a little more, or if you want to approach cybersecurity from a whole-of-business perspective. Reach out to us here, and we will be able to assist you.